On Verifying a File System Implementation 



Konstantinc Arkoudas, Karen Zee, Viktor Kuncak, Martin Rinard 

MIT Computer Science and AI Lab 

{arkoudas, kkz, vkuncak, rinard}@lcs.mit.edu

MIT CSAIL Technical Report 946



Abstract. We present a correctness proof for a basic file system implementation. This implementation contains key elements of standard Unix file systems such as inodes and fixed-size disk blocks. We prove the implementation correct by establishing a simulation relation between the specification of the file system (which models the file system as an abstract map from file names to sequences of bytes) and its implementation (which uses fixed-size disk blocks to store the contents of the files). We used the Athena proof checker to represent and validate our proof. Our experience indicates that Athena's use of block-structured natural deduction, support for structural induction and proof abstraction, and seamless connection with high-performance automated theorem provers were essential to our ability to successfully manage a proof of this size.

1 Introduction

In this paper we explore the challenges of verifying the core operations of a standard Unix file system [20, 16]. We formalize the specification of the file system as a map from file names to sequences of bytes, then formalize an implementation that uses such standard file system data structures as inodes and fixed-sized disk blocks. We verify the correctness of the implementation by proving the existence of a simulation relation between the specification and the implementation.

The proof is expressed and checked in Athena, an interactive theorem-proving environment based on denotational proof languages (DPLs [3]) for first-order logic with sorts and polymorphism. Athena uses a Fitch-style natural deduction calculus, formalized via the abstraction of assumption bases. High-level idioms that are frequently encountered in common mathematical reasoning (such as "pick any x and y ..." or "assume P in ...") are directly available to the user. Athena also includes a higher-order functional language in the style of Scheme and ML and offers flexible mechanisms for expressing proof-search algorithms in a trusted manner (akin to the "tactics" and "tacticals" of LCF-like systems such as HOL [11]).

The proof comprises 283 lemmas and theorems, and took 1.5 person-months of full-time work to complete. It consists of roughly 5,000 lines of Athena code, for an average of about 18 lines per lemma. It takes about 9 minutes to check on a high-end Pentium, for an average of 1.9 seconds per lemma. Athena seamlessly integrates cutting-edge automated theorem provers (ATPs) such as Vampire [21] and Spass [22] to mechanically prove tedious steps, leaving the user to focus on the interesting parts of the proof. Athena invokes Vampire and Spass over 2,000 times during the course of the proof. That the proof is still several thousand lines long reflects the sheer size of the problem. For instance, we needed to prove 12 invariants and there are 10 state-transforming operations, which translates to 120 lemmas, one for each invariant/operation pair (I, f), each guaranteeing that f preserves I. Most of these lemmas are non-trivial; many require induction, and several require a number of other auxiliary lemmas. Further complicating matters is the fact that we can show that some of these invariants are preserved only if we assume that certain other invariants hold. In these cases we must consider simultaneously the conjunction of several invariants. The resulting formulas are several pages long and have dozens of quantified variables. We believe that Athena's combination of natural deduction, versatile mechanisms for proof abstraction, and seamless incorporation of very efficient ATPs were crucial to our ability to successfully complete a proof effort of this scale.

To place our results in a broader context, consider that organizations rely on storage systems in general and file systems in particular to store critical persistent data. Because errors can cause the file system to lose this data, it is important for the implementation to be correct. The standard wisdom is that core system components such as file systems will always remain beyond the reach of full correctness proofs, leaving extensive testing — and the possibility of undetected residual errors — as the only option. Our results, however, suggest that correctness proofs for crucial system components (especially for the key algorithms and data structures at the heart of such components) may very well be within reach.

The remainder of the paper is structured as follows. Section 2 informally describes a simplified file system. Section 3 presents an abstract specification of the file system. This specification hides the complexity of implementation-specific data structures such as inodes and data blocks by representing files simply as indexable sequences of bytes. Section 4 presents our model of the implementation of the file system. This implementation contains many more details, e.g., the mapping from file names to inodes, as well as the representation of file contents using sequences of non-contiguous data blocks that are dynamically allocated on the disk. Section 5 presents the statement of the correctness criterion. This criterion uses an abstraction function [15] that maps the state of the implementation to the state of the specification. Section 5 also sketches out the overall strategy of the proof. Section 6 and Section 7 address the key role that invariants and proof tactics played in this project. Section 8 gives a flavor of our correctness proof by presenting a proof of a frame-condition lemma. Section 9 presents related work, and Section 10 concludes. The Appendix contains a description of the relevant parts of certain Athena libraries that were used in this project.



2 A Simple File System 

In this section we describe the high-level structure of a simple file system. In 
Section 4 we present a formal model of such a file system. 

In our file system the physical media is divided into blocks containing a fixed 
number of bytes. The contents of a file are divided into block-sized segments, 
and stored in a series of blocks that are not necessarily consecutive. 

The file system associates each file with an inode, which is a data structure 
that contains information about the file, including the file size and which blocks 
contain the file data. Unlike actual UNIX file systems, the inodes in our system 
do not contain other information such as access privileges and time stamps. 

There is only one directory, the root directory, which maps file names to inode 
numbers. No two file names can refer to the same file, so no two file identifiers can 
map to the same inode number. We also assume that the disk is unbounded — the 
file system has access to an infinite number of inodes and blocks. 

To read a byte from a given file, the file system first looks up the file name in 
the root directory, and obtains the number of the corresponding inode. Assuming 
the file exists, the file system then looks up the inode. From the information in 
the inode, the file system determines if it is reading a byte that is within the 
bounds of the file size, and if so, which block contains the relevant byte. Finally, 
the file system reads the byte from that block and returns the value read. 

A similar look-up process occurs when writing a byte in a file. In this case, if the file system is writing a byte that is within the bounds of the existing file size, it simply stores the new value to the appropriate byte. Otherwise, the file system extends the file up to the index of the byte it is writing. It then stores the appropriate value to the byte it is writing, and a default pad value to the bytes in between.

Our formalization consists of a set of axioms in first-order logic with sorts, polymorphism, and structural induction. We use generic Athena libraries that contain axiomatizations of natural numbers, value options, finite maps, and resizable arrays; see the Appendix for a brief description of those libraries.



3 Abstract specification of the file system 

Our specification is an abstract model of the file system that hides the complexity of data structures such as inodes and data blocks by representing files as indexable sequences of bytes.

The specification uses the following sorts (the first two are introduced as new primitive domains, while the latter two are defined as sort abbreviations):

sorts Byte, FileID

define File = RSArrayOf(Byte)

define AbState = FMap(FileID, File)

The sort Byte is an abstract type whose values represent the units of file content. FileID is also an abstract type; its values represent file identifiers. We define File as a resizable array of Byte. The abstract state of the file system, AbState, is represented as a finite map from file identifiers (FileID) to file contents (File). We also introduce a distinguished element of Byte, called fillByte, which is used to pad a file in the case of an attempt to write at a position exceeding the file size: declare fillByte : Byte.



3.1 Specification of the abstract read operation 

We begin by giving the signature of the abstract read operation, absRead: 

declare absRead : FileID × Nat × AbState → ReadResult

Thus absRead takes a file identifier fid, an index i in the file, and an abstract file system state s̄; and returns an element of ReadResult. The latter is defined as the following datatype:

datatype ReadResult = EOF | Ok(Byte) | FileNotFound

Therefore, the result of any absRead operation is one of three things: EOF, if the index is out of bounds; FileNotFound, if the file does not exist; or, if all goes well, a value of the form Ok(v) for some byte v, representing the content of file fid at position i. More precisely, the semantics of absRead are given by the following three axioms:

[AR1] ∀ fid i s̄ . lookUp(fid, s̄) = NONE ⇒ read(fid, i, s̄) = FileNotFound

[AR2] ∀ fid i s̄ file . [lookUp(fid, s̄) = SOME(file) ∧ arrayLen(file) ≤ i] ⇒ read(fid, i, s̄) = EOF

[AR3] ∀ fid i s̄ v file . [lookUp(fid, s̄) = SOME(file) ∧ arrayRead(file, i) = SOME(v)] ⇒ read(fid, i, s̄) = Ok(v)

Using the equality conditions for finite maps and resizable arrays, we are able to prove the following extensionality theorem for abstract states:

∀ s̄1 s̄2 . s̄1 = s̄2 ⇔ [∀ fid i . read(fid, i, s̄1) = read(fid, i, s̄2)]    (1)

3.2 Specification of the abstract write operation 

The abstract write operation has the following signature:

declare write : FileID × Nat × Byte × AbState → AbState

This is the operation that defines state transitions in our file system. It takes as arguments a file identifier fid, an index i indicating a file position, a byte v representing the value to be written, and a file system state s̄. The result is a new state where the contents of the file associated with fid have been updated by storing v at position i. Note that if i exceeds the length of the file in state s̄, then in the resulting state the file will be extended to size i + 1 and all newly allocated positions below i will be padded with the fillByte value. Finally, if fid does not correspond to a file in s̄, then an empty file of size i + 1 is first created and then the value v is written. More precisely, we introduce the following axioms:

[AW1] ∀ fid i v s̄ . lookUp(fid, s̄) = NONE ⇒ write(fid, i, v, s̄) = update(s̄, fid, arrayWrite(makeArray(fillByte, i + 1), i, v, fillByte))

[AW2] ∀ fid i v s̄ file . lookUp(fid, s̄) = SOME(file) ⇒ write(fid, i, v, s̄) = update(s̄, fid, arrayWrite(file, i, v, fillByte))
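The abstract specification of this section, as an added executable model (not the paper's Athena axioms): a File is a Python list standing in for RSArrayOf(Byte), an AbState is a dict standing in for FMap(FileID, File), NONE/SOME is the absence or presence of a key, fillByte is taken to be 0, and the names abs_read, abs_write, array_write and states_equal are this example's own. It follows AR1 through AR3 and AW1/AW2 literally, including the padding of a write past the end of a file, and states_equal works through the extensionality theorem (1) by comparing reads only.

```python
# Executable model of the abstract specification of Section 3 (added example, not
# the paper's Athena axioms).  A File is a Python list standing in for RSArrayOf(Byte),
# an AbState a dict standing in for FMap(FileID, File); NONE/SOME is key absence/presence.
FILL_BYTE = 0   # the distinguished fillByte (value assumed for this example)

def abs_read(fid, i, s):
    """Axioms AR1-AR3: FileNotFound, EOF, or ('Ok', v)."""
    if fid not in s:                        # AR1: lookUp(fid, s) = NONE
        return "FileNotFound"
    if len(s[fid]) <= i:                    # AR2: arrayLen(file) <= i
        return "EOF"
    return ("Ok", s[fid][i])                # AR3: arrayRead(file, i) = SOME(v)

def array_write(file, i, v, fill):
    """arrayWrite on a resizable array: grow to length i + 1 with `fill`, then store v."""
    grown = file + [fill] * max(0, i + 1 - len(file))   # a new list; `file` is untouched
    grown[i] = v
    return grown

def abs_write(fid, i, v, s):
    """Axioms AW1/AW2: returns a new state and leaves s untouched."""
    if fid not in s:                        # AW1: start from makeArray(fillByte, i + 1)
        file = [FILL_BYTE] * (i + 1)
    else:                                   # AW2: existing contents
        file = s[fid]
    return {**s, fid: array_write(file, i, v, FILL_BYTE)}

def states_equal(s1, s2):
    """Extensionality (1): two states are equal iff every read agrees on them.
    Probing every file of either state at every index up to the longest file suffices:
    a missing file, a length difference or a content difference each changes some read."""
    fids = set(s1) | set(s2)
    limit = max((len(f) for f in (*s1.values(), *s2.values())), default=0)
    return all(abs_read(f, i, s1) == abs_read(f, i, s2) for f in fids for i in range(limit + 1))
```

Writing byte 7 at index 5 of a file that does not yet exist yields the six-byte file [0, 0, 0, 0, 0, 7]; reading index 2 then returns Ok(0) (the pad), index 6 returns EOF, and an unknown file identifier returns FileNotFound. Because every operation returns a fresh dict, the same sequence of writes applied in either order gives states that states_equal recognizes as equal, which is exactly what the simulation proof later relies on.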

4 File system implementation 

Standard Unix file systems store the contents of each file in separate disk blocks, 
and maintain a table of structures called inodes that index those blocks and 
store various types of information about the file. Our implementation operates 
directly on the inodes and disk blocks and therefore models the operations that 
the file system performs on the disk. We omit details such as file permissions, 
dates, links, multi-layered directories, and optimizations such as caching. Some 
of these (e.g., permissions and date stamps) are orthogonal to the verification 
obligation and could be included with minimal changes to our proof, while others 
(e.g., caching) would likely introduce additional complexity. 

File data is organized in Block units. A Block is an array of blockSize bytes, 
where blockSize is a positive constant. Specifically, we model a Block as a finite 
map from natural numbers to Byte: 

define Block = FMap(Nat, Byte)

We also define a distinguished element of Block, called initialBlock, such that:

∀ i . i < blockSize ⇒ lookUp(i, initialBlock) = SOME(fillByte)
∀ i . blockSize ≤ i ⇒ lookUp(i, initialBlock) = NONE

In other words, an initialBlock consists of blockSize copies of fillByte.
File meta-data is stored in inodes: 

datatype INode = inode(fileSize : Nat, blockCount : Nat, blockList : FMap(Nat, Nat))

An INode is a datatype consisting of the file size in bytes and in blocks, and a 
list of block numbers. The list of block numbers is an array of the block numbers 
that contain the file data. We model this array as a finite map from natural 
numbers (array indices) to natural numbers (block numbers). 
The data type State represents the file system state: 

datatype State = state(inodeCount : Nat, stateBlockCount : Nat, inodes : FMap(Nat, INode), blocks : FMap(Nat, Block), root : FMap(FileID, Nat))

A State consists of a count of the inodes in use; a count of the blocks in use; an 
array of inodes; an array of blocks; and the root directory. We model the array of 
inodes as a finite map from natural numbers (array indices) to INode (inodes). 
Likewise, we model the array of blocks as a finite map from natural numbers 
(array indices) to Block (blocks). We model the root directory as a finite map 
from FilelD (file identifiers) to natural numbers (inode numbers). 

We also define initialState, a distinguished element of State, which describes the initial state of the file system. In the initial state, no inodes or blocks are in use, and the root directory is empty:

declare initialState : State

initialState = state(0, 0, empty-map, empty-map, empty-map)



4.1 Definition of the concrete read operation 

The concrete read operation, read, has the following signature:

declare read : FileID × Nat × State → ReadResult

The read¹ operation takes a file identifier fid, an index i in the file, and a concrete file system state s, and returns an element of ReadResult. It first determines if fid is present in the root directory of s. If not, read returns FileNotFound. Otherwise, it looks up the corresponding inode. If i is not less than the file size, read returns EOF. Otherwise, read looks up the block containing the data and returns the relevant byte. The following axioms capture these semantics (for ease of presentation, we omit universal quantifiers from now on; all variables can be assumed to be universally quantified):



¹ As a convention, we use bold italic font (rendered here as a bar, e.g. s̄) to indicate the abstract-state version of something: e.g., abstract read vs. concrete read, an abstract state s̄ vs. a concrete state s, etc.
[CR1] lookUp(fid, root(s)) = NONE ⇒ read(fid, i, s) = FileNotFound

[CR2] [lookUp(fid, root(s)) = SOME(n) ∧ lookUp(n, inodes(s)) = SOME(inode(fs, bc, bl)) ∧ fs ≤ i] ⇒ read(fid, i, s) = EOF

[CR3] [lookUp(fid, root(s)) = SOME(n) ∧ lookUp(n, inodes(s)) = SOME(inode(fs, bc, bl)) ∧ i < fs ∧ lookUp(i div blockSize, bl) = SOME(bn) ∧ lookUp(bn, blocks(s)) = SOME(block) ∧ lookUp(i mod blockSize, block) = SOME(v)] ⇒ read(fid, i, s) = Ok(v)

4.2 Definition of the concrete write operation 

The concrete write operation, write, takes a file identifier fid, a byte index i, the 
byte value v to write, and a state s, and returns the updated state: 

declare write : FileID × Nat × Byte × State → State

[CW1] lookUp(fid, root(s)) = SOME(n) ⇒ write(fid, i, v, s) = writeExisting(n, i, v, s)

[CW2] let s' = allocINode(fid, s) in
      [lookUp(fid, root(s)) = NONE ∧ lookUp(fid, root(s')) = SOME(n)] ⇒ write(fid, i, v, s) = writeExisting(n, i, v, s')

If the file associated with fid already exists, write delegates the write to the helper 
function writeExisting . If the file does not exist, write first invokes allocINode, 
which creates a new, empty file, then calls writeExisting with the inode number 
of the new file. 

allocINode takes a file identifier fid and a state s, and returns an updated 
state: 

declare allocINode : FileID × State → State

getNextINode(s) = state(inc + 1, bc, inm, bm, root) ⇒ allocINode(fid, s) = state(inc + 1, bc, inm, bm, update(root, fid, inc))

allocINode creates a new inode by invoking getNextlNode, then associates fid 
with the new inode. 

getNextlNode takes a state and returns an updated state. It allocates and 
initializes a new inode: 

declare getNextINode : State → State

getNextINode(state(inc, bc, inm, bm, root)) = state(inc + 1, bc, update(inm, inc, inode(0, 0, empty-map)), bm, root)

writeExisting takes an inode number n, a byte index i, the byte value v to 
write, and a state s, and returns the updated state: 

declare writeExisting : Nat × Nat × Byte × State → State

[WE1] [lookUp(n, inodes(s)) = SOME(inode) ∧ (i div blockSize) < blockCount(inode) ∧ i < fileSize(inode)] ⇒ writeExisting(n, i, v, s) = writeNoExtend(n, i, v, s)

[WE2] [lookUp(n, inodes(s)) = SOME(inode) ∧ (i div blockSize) < blockCount(inode) ∧ fileSize(inode) ≤ i] ⇒ writeExisting(n, i, v, s) = writeSmallExtend(n, i, v, s)

[WE3] [lookUp(n, inodes(s)) = SOME(inode) ∧ blockCount(inode) ≤ (i div blockSize)] ⇒ writeExisting(n, i, v, s) = writeNoExtend(n, i, v, extendFile(n, i, s))

If i is less than the file size, writeExisting delegates the writing to writeNoExtend, which stores the value v in the appropriate location. If i is not less than the file size but is located in the last block of the file, writeExisting delegates to writeSmallExtend, which stores the value v in the appropriate position and updates the file size. Otherwise, writeExisting first invokes extendFile, which extends the file by the appropriate number of blocks, and then calls writeNoExtend on the updated state.

writeNoExtend takes an inode number n, a byte index i, the byte value v to 
write, and a state s, and returns the updated state after writing v at index i: 

declare writeNoExtend : Nat × Nat × Byte × State → State

[lookUp(n, inodes(s)) = SOME(inode) ∧ lookUp(i div blockSize, blockList(inode)) = SOME(bn) ∧ lookUp(bn, blocks(s)) = SOME(block)] ⇒ writeNoExtend(n, i, v, s) = updateStateBM(s, bn, update(block, i mod blockSize, v))

writeNoExtend uses the helper function updateStateBM . The function 
updateStateBM takes the state, the block number bn, and the block block, and 
returns an updated state where bn maps to block: 

declare updateStateBM : State × Nat × Block → State

updateStateBM(state(inc, bc, inm, bm, root), bn, block) = state(inc, bc, inm, update(bm, bn, block), root)

writeSmallExtend takes an inode number n, a byte index i, the byte value v 
to write, and a state. It updates the file size and writes the byte value v at byte 
index i for the file associated with the inode number n, and returns the updated 
state: 

declare writeSmallExtend : Nat × Nat × Byte × State → State

[lookUp(n, inm) = SOME(inode(fs, bc, bl)) ∧ lookUp(i div blockSize, bl) = SOME(bn) ∧ lookUp(bn, bm) = SOME(block) ∧ fs ≤ i] ⇒
writeSmallExtend(n, i, v, state(snc, sbc, inm, bm, root)) = state(snc, sbc, update(inm, n, inode(i + 1, bc, bl)), update(bm, bn, update(block, i mod blockSize, v)), root)

extendFile takes an inode number n, the byte index of the write, and the state s. It delegates the task of allocating the necessary blocks to allocBlocks:

declare extendFile : Nat × Nat × State → State

[lookUp(n, inodes(s)) = SOME(inode) ∧ blockCount(inode) ≤ (j div blockSize)] ⇒ extendFile(n, j, s) = allocBlocks(n, (j div blockSize) − blockCount(inode) + 1, j, s)

allocBlocks takes an inode number n, the number of blocks to allocate, the byte index j, and the state s. We define it by primitive recursion:

declare allocBlocks : Nat × Nat × Nat × State → State

[AB1] allocBlocks(n, 0, j, s) = s

[AB2] [getNextBlock(s) = state(inc, bc + 1, inm, bm, root) ∧ lookUp(n, inm) = SOME(inode(fs, inbc, inbl))] ⇒
allocBlocks(n, k + 1, j, s) = allocBlocks(n, k, j, state(inc, bc + 1, update(inm, n, inode(j + 1, inbc + 1, update(inbl, inbc, bc))), bm, root))
Fig. 1. The call graph of write.



allocBlocks uses the helper function getNextBlock, which takes the state s, allo- 
cates and initializes the next free block, and returns the updated state: 

declare getNextBlock : State → State

getNextBlock(state(inc, bc, inm, bm, root)) = state(inc, bc + 1, inm, update(bm, bc, initialBlock), root)

The call graph summarizing the write operation is shown in Figure 1. This call graph largely determines the auxiliary lemmas that need to be established every time we wish to prove a result about write. That is, whenever we need to prove a result L about write, we prove appropriate lemmas L1 and L2 about allocINode and writeExisting. In turn, L1 will rely on a lemma L11 about getNextINode and L2 will reference lemmas L21, L22, and L23 about writeNoExtend, writeSmallExtend, and extendFile, respectively; and so on. In this way we obtain a lemma dependency graph for L whose structure mirrors that of the call graph for write.

In what follows we will restrict our attention to reachable states, those that can be obtained from the initial state by some finite sequence of write operations. Specifically, we define a predicate reachableN ("reachable in n steps") via two axioms: reachableN(s, 0) ⇔ s = initialState, and

reachableN(s, n + 1) ⇔ ∃ s' fid i v . reachableN(s', n) ∧ s = write(fid, i, v, s')

We then set reachable(s) ⇔ ∃ n . reachableN(s, n). We will write Ŝtate for the set of all reachable states, and we will use the symbol ŝ to denote a reachable state. Propositions of the form ∀ ··· ŝ ··· . P(··· ŝ ···) and ∃ ··· ŝ ··· . P(··· ŝ ···) should be taken as abbreviations for ∀ ··· s ··· . reachable(s) ⇒ P(··· s ···) and ∃ ··· s ··· . reachable(s) ∧ P(··· s ···), respectively.
5 The correctness proof

5.1 State abstraction and homomorphic simulation 

This section presents a correctness criterion for the implementation. The cor- 
rectness criterion is specified using an abstraction function [15] that maps the 
state of the implementation to the state of the specification. 

Consider the following binary relation A from concrete to abstract states:

∀ s s̄ . A(s, s̄) ⇔ [∀ fid i . read(fid, i, s) = read(fid, i, s̄)]

It follows directly from the extensionality principle on abstract states (1) that A is functional:

∀ s s̄1 s̄2 . A(s, s̄1) ∧ A(s, s̄2) ⇒ s̄1 = s̄2.

Accordingly, we postulate the existence of an abstraction function α : State → AbState such that:

∀ s s̄ . α(s) = s̄ ⇔ A(s, s̄).

That is, an abstracted state a(s) has the exact same contents as s: reading any 
position of a file in one state yields the same result as reading that position of 
the file in the other state. 



Fig. 2. Commuting diagrams for the read and write operations: read : FileID × Nat × State → ReadResult above read : FileID × Nat × AbState → ReadResult, and write : FileID × Nat × Byte × State → State above write : FileID × Nat × Byte × AbState → AbState, the two levels being connected by α on the State component.



A standard way of formalizing the requirement that an implementation I is faithful to a specification S is to express I and S as many-sorted algebras and establish a homomorphism from one to the other. In our case the two algebras are I = (FileID, Nat, Byte, State; read, write) and

S = (FileID, Nat, Byte, AbState; read, write)

The embeddings from I to S for the carriers FileID, Nat, and Byte are simply the identity functions on these domains; while the embedding from State to AbState is the abstraction mapping α. In order to prove that this translation yields a homomorphism we need to show that the two diagrams shown in Figure 2 commute. Symbolically, we need to prove the following:

∀ fid i ŝ . read(fid, i, ŝ) = read(fid, i, α(ŝ))    (2)

and

∀ fid i v ŝ . α(write(fid, i, v, ŝ)) = write(fid, i, v, α(ŝ))    (3)

5.2 Proof outline 

Goal (2) follows immediately from the definition of the abstraction function α. For (3), since the consequent is equality between two abstract states and we have already proven that two abstract states s̄1 and s̄2 are equal iff any abstract read operation yields identical results on s̄1 and s̄2, we transform (3) into the following:

∀ fid i v ŝ fid' j . read(fid', j, α(write(fid, i, v, ŝ))) = read(fid', j, write(fid, i, v, α(ŝ)))

Finally, using (2) on the above gives:

∀ fid fid' i j v ŝ . read(fid', j, write(fid, i, v, ŝ)) = read(fid', j, write(fid, i, v, α(ŝ)))

Therefore, choosing arbitrary fid, fid', j, v, i, and ŝ, we need to show L = R, where L = read(fid', i, write(fid, j, v, ŝ)) and

R = read(fid', i, write(fid, j, v, α(ŝ)))

Showing L = R is the main goal of the proof. We proceed by a case analysis as shown in Fig. 3. The decision tree of Fig. 3 has the following property: if the conditions that appear on a path from the root of the tree to an internal node u are all true, then the conditions at the children of u are mutually exclusive and jointly exhaustive (given that certain invariants hold, as discussed in Section 6). There are ultimately eight distinct cases to be considered, C1 through C8, appearing at the leaves of the tree. Exactly one of those eight cases must be true for any given fid, fid', j, v, ŝ and i. We prove that L = R in all eight cases.

For each case Ci, i = 1, ..., 8, we formulate and prove a pair of lemmas Mi and M̄i that facilitate the proof of the goal L = R. Specifically, for each case Ci there are two possibilities:

1. L = R follows because both L and R reduce to a common term t, with L = t following by virtue of lemma Mi and R = t following by virtue of lemma M̄i:

L = t = R    (L = t by Mi, R = t by M̄i)

2. The desired identity follows because L and R respectively reduce to read(fid', i, ŝ) and read(fid', i, α(ŝ)), which are equal owing to (2). In this case, Mi is used to show L = read(fid', i, ŝ) and M̄i is used to show R = read(fid', i, α(ŝ)):

L = read(fid', i, ŝ) = read(fid', i, α(ŝ)) = R    (first equality by Mi, last by M̄i, middle by (2))

Fig. 3. Case analysis for proving the correctness of write: a decision tree whose root is true, whose first split is between lookUp(fid, root(ŝ)) = NONE and lookUp(fid, root(ŝ)) = SOME(n) ∧ lookUp(n, inodes(ŝ)) = SOME(inode(fs, bc, bl)), whose further splits compare i with j (i < j, i > j, ...), and whose eight leaves are the cases C1 through C8.

The eight pairs of lemmas are shown in Figure 4. The "abstract-state" versions of the lemmas ([M̄i], i = 1, ..., 8) are readily proved with the aid of Vampire from the axiomatizations of maps, resizable arrays, options, natural numbers, etc., and the specification axioms. The concrete lemmas Mi are much more challenging.
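An added executable model (not the paper's Athena code) of the concrete implementation of Section 4, used to exercise the concrete lemmas M1 and M4 through M8 of Figure 4 on reachable states. FMaps are dicts, NONE/SOME is the absence or presence of a key, blockSize is taken as 4 and fillByte as 0, and all names (INode, State, violated_lemmas, random_check, ...) are this example's own. Every operation returns a fresh State, mirroring the functional axioms; random_check builds states by random write sequences from initialState, in the sense of reachableN, and counts lemma violations on them.

```python
from collections import namedtuple
import random

BLOCK_SIZE = 4   # blockSize, kept small so that writes cross block boundaries often
FILL_BYTE = 0    # fillByte

# inode(fileSize, blockCount, blockList) and state(inodeCount, stateBlockCount, inodes, blocks, root).
# FMaps are dicts (NONE/SOME = key absent/present); a Block is a dict Nat -> Byte.
INode = namedtuple("INode", "file_size block_count block_list")
State = namedtuple("State", "inode_count block_count inodes blocks root")
INITIAL_STATE = State(0, 0, {}, {}, {})

def read(fid, i, s):
    """Axioms CR1-CR3: FileNotFound, EOF, or ('Ok', v)."""
    if fid not in s.root:
        return "FileNotFound"
    ino = s.inodes[s.root[fid]]
    if ino.file_size <= i:
        return "EOF"
    return ("Ok", s.blocks[ino.block_list[i // BLOCK_SIZE]][i % BLOCK_SIZE])

def alloc_inode(fid, s):
    """getNextINode creates inode number inodeCount as inode(0, 0, empty-map); allocINode binds fid to it."""
    s1 = s._replace(inode_count=s.inode_count + 1, inodes={**s.inodes, s.inode_count: INode(0, 0, {})})
    return s1._replace(root={**s1.root, fid: s.inode_count})

def get_next_block(s):
    """Allocate block number stateBlockCount, holding initialBlock."""
    fresh = {k: FILL_BYTE for k in range(BLOCK_SIZE)}
    return s._replace(block_count=s.block_count + 1, blocks={**s.blocks, s.block_count: fresh})

def alloc_blocks(n, k, j, s):
    """AB1/AB2: append k fresh blocks to inode n and set its size to j + 1."""
    if k == 0:
        return s
    s1, ino = get_next_block(s), s.inodes[n]
    ino1 = INode(j + 1, ino.block_count + 1, {**ino.block_list, ino.block_count: s.block_count})
    return alloc_blocks(n, k - 1, j, s1._replace(inodes={**s1.inodes, n: ino1}))

def extend_file(n, j, s):
    """Precondition (WE3): blockCount <= j div blockSize, so at least one block is added."""
    return alloc_blocks(n, j // BLOCK_SIZE - s.inodes[n].block_count + 1, j, s)

def write_no_extend(n, i, v, s):
    """Store v at byte i of an already allocated block (updateStateBM inlined)."""
    bn = s.inodes[n].block_list[i // BLOCK_SIZE]
    return s._replace(blocks={**s.blocks, bn: {**s.blocks[bn], i % BLOCK_SIZE: v}})

def write_small_extend(n, i, v, s):
    """Byte i lies in an allocated block at or beyond fileSize: store it and grow fileSize to i + 1."""
    ino = s.inodes[n]
    return write_no_extend(n, i, v, s)._replace(
        inodes={**s.inodes, n: INode(i + 1, ino.block_count, ino.block_list)})

def write_existing(n, i, v, s):
    """WE1-WE3: the three mutually exclusive cases of writeExisting."""
    ino = s.inodes[n]
    if i // BLOCK_SIZE < ino.block_count:
        return write_no_extend(n, i, v, s) if i < ino.file_size else write_small_extend(n, i, v, s)
    return write_no_extend(n, i, v, extend_file(n, i, s))

def write(fid, i, v, s):
    """Axioms CW1/CW2: allocate an inode first if fid is not in the root directory."""
    s1 = s if fid in s.root else alloc_inode(fid, s)
    return write_existing(s1.root[fid], i, v, s1)

def violated_lemmas(s, fid, fid2, i, j, v):
    """Names of the concrete lemmas M1, M4..M8 of Fig. 4 that fail for these arguments."""
    after, bad = write(fid, j, v, s), []
    if i == j and read(fid, i, after) != ("Ok", v):
        bad.append("M1")
    if fid in s.root:
        fs = s.inodes[s.root[fid]].file_size
        if i != j and j < fs and read(fid, i, after) != read(fid, i, s):
            bad.append("M4")
        if fs <= j and i < fs and read(fid, i, after) != read(fid, i, s):
            bad.append("M5")
        if fs <= i < j and read(fid, i, after) != ("Ok", FILL_BYTE):
            bad.append("M6")
        if fs <= j < i and read(fid, i, after) != "EOF":
            bad.append("M7")
    if fid2 != fid and read(fid2, i, after) != read(fid2, i, s):
        bad.append("M8")
    return bad

def random_check(trials=300, seed=1):
    """Total lemma violations over random reachable states (reachableN via random write sequences)."""
    rng, total = random.Random(seed), 0
    for _ in range(trials):
        s = INITIAL_STATE
        for _ in range(rng.randrange(6)):
            s = write(rng.choice("ab"), rng.randrange(12), rng.randrange(1, 10), s)
        total += len(violated_lemmas(s, rng.choice("ab"), rng.choice("ab"),
                                     rng.randrange(14), rng.randrange(14), rng.randrange(1, 10)))
    return total
```

A first write of byte 7 at index 5 in the initial state goes through CW2, WE3 and two rounds of AB2: inode 0 ends up with fileSize 6, blockCount 2 and blockList {0: 0, 1: 1}, index 0 reads back as the fillByte and index 6 as EOF. A following write at index 7 stays inside the last block, so WE2 applies and only fileSize changes. The checks are tests rather than proofs: they exercise the case conditions of Figure 3 on small states, and a non-zero count from random_check would point at a case where a lemma is mis-stated or the model departs from the axioms. The two lemmas about files absent from the root, M2 and M3, are left out since they concern the allocation path only.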

6 Reachability invariants 



Reachable states have a number of properties that make them "well behaved." 
For instance, if a file identifier is bound in the root of a state s to some inode 
number n, then we expect n to be bound in the mapping inodes(s). While this 
is not true for arbitrary states s, it is true for reachable states. In what follows, 
by a state invariant we will mean a unary predicate on states I(s) that is true 
for all reachable states, i.e., such that V s . I(s). 
Fig. 4. Main lemmas ([Mi] is the concrete-state version, [M̄i] the abstract-state version).

[M1] read(fid, i, write(fid, i, v, ŝ)) = Ok(v)
[M̄1] read(fid, i, write(fid, i, v, s̄)) = Ok(v)

[M2] [lookUp(fid, root(ŝ)) = NONE ∧ i < j] ⇒ read(fid, i, write(fid, j, v, ŝ)) = Ok(v)
[M̄2] [lookUp(fid, s̄) = NONE ∧ i < j] ⇒ read(fid, i, write(fid, j, v, s̄)) = Ok(v)

[M3] [lookUp(fid, root(ŝ)) = NONE ∧ j < i] ⇒ read(fid, i, write(fid, j, v, ŝ)) = EOF
[M̄3] [lookUp(fid, s̄) = NONE ∧ j < i] ⇒ read(fid, i, write(fid, j, v, s̄)) = EOF

[M4] [lookUp(fid, root(ŝ)) = SOME(n) ∧ lookUp(n, inodes(ŝ)) = SOME(inode(fs, bc, bl)) ∧ i ≠ j ∧ j < fs] ⇒ read(fid, i, write(fid, j, v, ŝ)) = read(fid, i, ŝ)
[M̄4] [lookUp(fid, s̄) = SOME(A) ∧ i ≠ j ∧ j < arrayLen(A)] ⇒ read(fid, i, write(fid, j, v, s̄)) = read(fid, i, s̄)

[M5] [lookUp(fid, root(ŝ)) = SOME(n) ∧ lookUp(n, inodes(ŝ)) = SOME(inode(fs, bc, bl)) ∧ fs ≤ j ∧ i < fs] ⇒ read(fid, i, write(fid, j, v, ŝ)) = read(fid, i, ŝ)
[M̄5] [lookUp(fid, s̄) = SOME(A) ∧ arrayLen(A) ≤ j ∧ i < arrayLen(A)] ⇒ read(fid, i, write(fid, j, v, s̄)) = read(fid, i, s̄)

[M6] [lookUp(fid, root(ŝ)) = SOME(n) ∧ lookUp(n, inodes(ŝ)) = SOME(inode(fs, bc, bl)) ∧ fs ≤ i ∧ i < j] ⇒ read(fid, i, write(fid, j, v, ŝ)) = Ok(fillByte)
[M̄6] [lookUp(fid, s̄) = SOME(A) ∧ arrayLen(A) ≤ j ∧ arrayLen(A) ≤ i ∧ i < j] ⇒ read(fid, i, write(fid, j, v, s̄)) = Ok(fillByte)

[M7] [lookUp(fid, root(ŝ)) = SOME(n) ∧ lookUp(n, inodes(ŝ)) = SOME(inode(fs, bc, bl)) ∧ fs ≤ j ∧ j < i] ⇒ read(fid, i, write(fid, j, v, ŝ)) = EOF
[M̄7] [lookUp(fid, s̄) = SOME(A) ∧ arrayLen(A) ≤ j ∧ arrayLen(A) ≤ i ∧ j < i] ⇒ read(fid, i, write(fid, j, v, s̄)) = EOF

[M8] fid1 ≠ fid2 ⇒ read(fid2, i, write(fid1, j, v, ŝ)) = read(fid2, i, ŝ)
[M̄8] fid1 ≠ fid2 ⇒ read(fid2, i, write(fid1, j, v, s̄)) = read(fid2, i, s̄)



There are 12 invariants inv0, ..., inv11, that are of particular interest. The proof relies on them explicitly, i.e., at various points in the course of the argument we assume that all reachable states have these properties. Therefore, for the proof to be complete, we need to discharge these assumptions by proving that the properties in question are indeed invariants.

The process of guessing useful invariants — and then, more importantly, trying to prove them — was very helpful in strengthening our understanding of the implementation. More than once we conjectured false invariants, properties that appeared reasonable at first glance but later, when we tried to prove them, turned out to be false. For instance, a seemingly sensible "size invariant" is that for every inode of size fs and block count bc we have

fs = ((bc − 1) · blockSize) + (fs mod blockSize)

But this equality does not hold when the file size is a multiple of the block count. The proper invariant is²

[fs mod blockSize = 0 ⇒ fs = bc · blockSize] ∧
[fs mod blockSize ≠ 0 ⇒ fs = ((bc − 1) · blockSize) + (fs mod blockSize)]

where div denotes integer division. For any inode of file size fs and block count bc, we will write szInv(fs, bc) to indicate that fs and bc are related as shown by the above formula.
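The size-invariant discussion above, worked through as an added check (not from the paper): naive_size_inv is the rejected formula (with bc − 1 read as Nat subtraction, so 0 − 1 = 0), sz_inv is the proper invariant szInv, and blocks_needed is the ceiling-division form given in footnote 2; all function names and the value blockSize = 4 are this example's own.

```python
# Check of the size invariant of Section 6 (added example, not from the paper).
BLOCK_SIZE = 4   # blockSize; any positive constant works the same way

def naive_size_inv(fs, bc):
    """The rejected formula fs = (bc - 1) * blockSize + fs mod blockSize,
    with Nat subtraction, so that bc = 0 gives (bc - 1) = 0."""
    return fs == max(bc - 1, 0) * BLOCK_SIZE + fs % BLOCK_SIZE

def sz_inv(fs, bc):
    """szInv(fs, bc): the invariant actually used in the proof."""
    if fs % BLOCK_SIZE == 0:
        return fs == bc * BLOCK_SIZE
    return fs == (bc - 1) * BLOCK_SIZE + fs % BLOCK_SIZE

def blocks_needed(fs):
    """Footnote form: bc = (fs + blockSize - 1) div blockSize."""
    return (fs + BLOCK_SIZE - 1) // BLOCK_SIZE

def naive_counterexamples(max_size):
    """File sizes up to max_size for which the rejected formula denies the true block count."""
    return [fs for fs in range(max_size + 1) if not naive_size_inv(fs, blocks_needed(fs))]

def sz_inv_matches_ceiling(max_size, max_blocks):
    """True iff, over the whole grid, szInv(fs, bc) holds exactly when bc = blocks_needed(fs)."""
    return all(sz_inv(fs, bc) == (bc == blocks_needed(fs))
               for fs in range(max_size + 1) for bc in range(max_blocks + 1))
```

naive_counterexamples(12) returns [4, 8, 12]: the rejected formula fails precisely at the non-zero multiples of blockSize, where fs mod blockSize is 0 and the formula loses a whole block, while it happens to survive fs = 0 only because of Nat subtraction. sz_inv_matches_ceiling confirms on a grid that szInv(fs, bc) holds exactly when bc is the number of blocks the file needs, which is the equivalence stated in footnote 2.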

Figure 5 presents the twelve reachability invariants for our file system implementation.
In the sequel we focus on the first four invariants, $inv_0, inv_1, inv_2, inv_3$.
These four invariants are fundamental and must be established before anything
non-trivial can be proven about the system. They are also co-dependent, meaning
that in order to prove that an operation preserves one of them, say $inv_j$,
we often need to assume that the incoming state not only has $inv_j$ but also one
or more of the other three invariants. For instance, we cannot prove that $write$
preserves $inv_3$, i.e., that

$\forall\, fid\ i\ v\ s\,.\ inv_3(s) \Rightarrow inv_3(write(fid, i, v, s))$

unless we also assume that $s$ has $inv_0$. Or suppose we want to prove that
$writeExisting$ preserves any of the four invariants, say $inv_0$, so that our goal
is to show $inv_0(writeExisting(n, i, v, s))$ on the assumptions

$lookUp(n, inodes(s)) = SOME(inode(fs, bc, bl))$ (4)

and

$inv_0(s)$ (5)

Consider the case

$bc \le i\ \mathrm{div}\ blockSize,$

whereby $writeExisting(n, i, v, s)$ returns

$writeNoExtend(n, i, v, extendFile(n, i, s)).$

Since $writeNoExtend$ is conditionally defined, we need to show that its three
preconditions are satisfied in the intermediate state $s_1 = extendFile(n, i, s)$. It
is easy enough to show that the first precondition holds, i.e., that

$lookUp(n, inodes(s_1)) = SOME(inode(fs_1, bc_1, bl_1))$

for some $fs_1$, $bc_1$, and $bl_1$; this follows from (4) and an auxiliary lemma stating
that $extendFile$ preserves the invariant $I(s) = inDom(n, inodes(s))$ (for



² This invariant is equivalent to $bc = (fs + blockSize - 1)\ \mathrm{div}\ blockSize$.
$inv_0(s)$ : $[lookUp(fid, root(s)) = SOME(n)] \Rightarrow inDom(n, inodes(s))$

$inv_1(s)$ : $[lookUp(n, inodes(s)) = SOME(inode(fs, bc, bl))] \Rightarrow [inDom(k, bl) \Leftrightarrow k < bc]$

$inv_2(s)$ : $[lookUp(n, inodes(s)) = SOME(inode) \wedge lookUp(bn, blockList(inode)) = SOME(bn')] \Rightarrow$
$\quad inDom(bn', blocks(s))$

$inv_3(s)$ : $[lookUp(n, inodes(s)) = SOME(inode(fs, bc, bl))] \Rightarrow szInv(fs, bc)$

$inv_4(s)$ : $inDom(bnum, blocks(s)) \Leftrightarrow bnum < stateBlockCount(s)$

$inv_5(s)$ : $inDom(nodeNum, inodes(s)) \Leftrightarrow nodeNum < inodeCount(s)$

$inv_6(s)$ : $[lookUp(nodeNum, inodes(s)) = SOME(inode(fs, bc, bl)) \wedge bc = 0]$

$inv_7(s)$ : $[fid_1 \ne fid_2 \wedge lookUp(fid_1, root(s)) = SOME(nodeNum_1) \wedge lookUp(fid_2, root(s)) = SOME(nodeNum_2)] \Rightarrow$
$\quad nodeNum_1 \ne nodeNum_2$

$inv_8(s)$ : $[lookUp(nodeNum, inodes(s)) = SOME(node) \wedge lookUp(k, blockList(node)) = SOME(bnum) \wedge$
$\quad lookUp(bnum, blocks(s)) = SOME(block)] \Rightarrow (inDom(j, block) \Leftrightarrow j < blockSize)$

$inv_9(s)$ : $[lookUp(nodeNum_1, inodes(s)) = SOME(node_1) \wedge lookUp(nodeNum_2, inodes(s)) = SOME(node_2) \wedge$
$\quad lookUp(k_1, blockList(node_1)) = SOME(bnum_1) \wedge lookUp(k_2, blockList(node_2)) = SOME(bnum_2) \wedge$
$\quad nodeNum_1 \ne nodeNum_2] \Rightarrow bnum_1 \ne bnum_2$

$inv_{10}(s)$ : $[lookUp(nodeNum, inodes(s)) = SOME(node) \wedge lookUp(k_1, blockList(node)) = SOME(bnum_1) \wedge$
$\quad lookUp(k_2, blockList(node)) = SOME(bnum_2) \wedge k_1 \ne k_2] \Rightarrow bnum_1 \ne bnum_2$

$inv_{11}(s)$ : $[lookUp(nodeNum, inodes(s)) = SOME(inode(fs, bc, bl)) \wedge i\ \mathrm{div}\ blockSize < bc \wedge fs \le i \wedge$
$\quad lookUp(i\ \mathrm{div}\ blockSize, bl) = SOME(bnum) \wedge lookUp(bnum, blocks(s)) = SOME(block)] \Rightarrow$
$\quad lookUp(i \bmod blockSize, block) = SOME(fillByte)$

Fig. 5. Reachability Invariants
fixed inode number $n$). However, it is more challenging to show that the two
remaining preconditions hold, i.e., that there exist $bn_1$ and $block_1$ such that
$lookUp(i\ \mathrm{div}\ blockSize, bl_1) = SOME(bn_1)$ and

$lookUp(bn_1, blocks(s_1)) = SOME(block_1).$

But these would follow immediately if we could show that $s_1$ has $inv_1$ and $inv_2$
and that $i\ \mathrm{div}\ blockSize < bc_1$. Showing that $s_1$ has $inv_1$ and $inv_2$ would in turn
follow immediately if we strengthened our initial hypothesis (5) by additionally
assuming that $s$ has $inv_1$ and $inv_2$, provided we have shown elsewhere that
$extendFile$ preserves both of these invariants. However, showing $i\ \mathrm{div}\ blockSize <
bc_1$ presupposes that $s_1$ has $inv_3$. Consequently, we are led to assume that the
original state $s$ has all four invariants. Provided we have already shown that
$extendFile$ preserves each of the four invariants, it then follows that $s_1$ has all
four of them, and hence that the preconditions of $writeNoExtend$ hold.



6.1 Proving invariants 

Showing that a unary state property $I(s)$ is an invariant proceeds in two steps:

1. proving that $I$ holds for the initial state, $I(s_0)$; and

2. proving $\forall\, fid\ i\ v\ s\,.\ I(s) \Rightarrow I(write(fid, i, v, s))$.

Once both of these have been established, a routine induction on $n$ will show
that

$\forall\, n\ s\,.\ reachableN(s, n) \Rightarrow I(s).$

It then follows directly by the definition of reachability that all reachable states
have $I$.

Proving that the initial state has an invariant $inv_j$ is straightforward: in
all twelve cases it is done automatically. The second step, proving that $write$
preserves $inv_j$, is more involved. Including $write$, the implementation comprises
ten state-transforming operations,³ and control may flow from $write$ to any one of
them. Accordingly, we need to show that all ten operations preserve the invariant
under consideration. This means that for a total of ten operations $f_0, \ldots, f_9$ and
twelve invariants $inv_0, \ldots, inv_{11}$, we need to prove 120 lemmas, each stating that
$f_i$ preserves $inv_j$.

Most of the operations $f_i$ are defined conditionally, in the form

$\forall\, x_i\ y_i\,.\ PC_i(x_i, y_i) \Rightarrow f_i(x_i) = \cdots$

where $x_i, y_i$ are lists of distinct variables; $PC_i(x_i, y_i)$, the "precondition" of
$f_i$, is usually a conjunction of equations in the variables $x_i$ and $y_i$ (if $f_i$ is not
defined conditionally then this can be regarded as the empty conjunction, i.e.,
as the constant true). Therefore, each of the 120 invariant-preservation lemmas
is of the form

$\forall\, x_i\ y_i\ s\,.\ [PC_i(x_i, y_i) \wedge I(s)] \Rightarrow inv_j(f_i(x_i))$ (6)

for $i = 0, \ldots, 9$ and $j = 0, \ldots, 11$, and where $I(s)$ is of the form $inv_j(s) \wedge inv_{i_1}(s) \wedge
\cdots \wedge inv_{i_k}(s)$ where $k \ge 0$ and $i_r \in \{0, 1, \ldots, 11\}$ for $1 \le r \le k$.

³ By a "state-transforming operation" we mean one that takes a state as an argument
and produces a state as output. There are ten such operations, nine of which are
auxiliary functions (such as $extendFile$) invoked by $write$.

The large majority of the proof text (about 80% of it) is devoted to proving
these lemmas. Some of them are surprisingly tricky to prove, and even those that
are not particularly conceptually demanding can be challenging to manipulate,
if for no other reason than their sheer volume. Given the size of the function
preconditions and the size of the invariants (especially in those cases where
we need to consider the conjunction of several invariants at once), an invariance
lemma can span multiple pages of text. Proof goals of that scale test the limits
even of cutting-edge ATPs. For instance, in the case of a proposition $P$ that
was several pages long (which arose in the proof of one of the invariance lemmas),
Spass took over 10 minutes to prove the trivial goal $P \Rightarrow P'$, where $P'$ was
simply an alphabetically renamed copy of $P$ (Vampire was not able to prove it
at all, at least within 20 minutes). Heavily skolemizing the formula and blindly
following the resolution procedure prevented these systems from recognizing the
goal as trivial. By contrast, using Athena's native inference rules, the goal was
derived instantaneously via the two-line deduction "assume $P$ in claim $P'$", because
Athena treats alphabetically equivalent propositions as identical and has
an efficient implementation of proposition look-ups. This speaks to the need
to have a variety of reasoning mechanisms available in a uniform, integrated
framework.

There are many additional lemmas that were used in proving the invariants
or in proving other results after all twelve invariants had already been proven.
We mention two typical ones:

Lemma 1. If $fid_1 \ne fid_2$ and

$lookUp(fid_2, root(s)) = x$

then $lookUp(fid_2, root(write(fid_1, i, v, s))) = x$.

Lemma 2. If $lookUp(n, inodes(s)) = SOME(inode_1)$ and

$lookUp(n, inodes(allocBlocks(n, k, j, s))) = SOME(inode_2)$

then $blockCount(inode_2) = blockCount(inode_1) + k$.

7 Proof automation with tactics 

After proving a few invariance lemmas for some of the operations it became
apparent that a large portion of the reasoning was the same in every case and
could thus be factored away for reuse.

Athena makes it easy to abstract concrete proofs into natural-deduction proof
algorithms called methods. For every state-transforming operation $f_i$, we wrote a
"preserver" method $P_i$ that takes an arbitrary invariant $I$ as input (expressed as
a unary function that takes a state and constructs an appropriate proposition)
and attempts to prove the corresponding invariance lemma.

$\forall\, x_i\ y_i\ s\,.\ [PC_i(x_i, y_i) \wedge I(s)] \Rightarrow I(f_i(x_i))$ (7)

$P_i$ encapsulates all the generic reasoning involved in proving invariants for $f_i$. If
any non-generic reasoning (specific to $I$) is additionally required, it is packaged
into a proof continuation $K$ and passed into $P_i$ as a higher-order method argument.
$P_i$ can then invoke $K$ at appropriate points within its body as needed. Such
methods for the various operations made the overall proof substantially shorter,
and easier to develop and to debug, than it would have been otherwise.

Consider, for example, proving that $allocBlocks$ preserves a certain property
$I$. This is always done by induction on $k$, the number of blocks to be allocated.
Discharging the base case automatically, managing the inductive hypothesis,
proving that the relevant precondition involving $getNextBlock$ is satisfied
in the context in which $allocBlocks$ is called, deriving useful consequences
of that fact, etc.: these are all standard tasks that are repetitively performed
regardless of $I$; we have abstracted all of them away in a higher-order method
that accepts the $I$-specific reasoning as an input method.

Proof programmability was useful in streamlining several other recurring patterns
of reasoning, apart from dealing with invariants. A typical example is this:
given a reachable state $s$, an inode number $n$ such that $lookUp(n, inodes(s)) =
SOME(inode(fs, bc, bl))$, and an index $i < fs$, we often need to prove the existence
of $bn$ and $block$ such that $lookUp(i\ \mathrm{div}\ blockSize, bl) = SOME(bn)$ and

$lookUp(bn, blocks(s)) = SOME(block)$

The reasoning runs as follows: first, from the reachability of $s$, we infer that
it has certain invariants, including $inv_0$, $inv_1$, $inv_2$, and $inv_3$. From these
invariants, the assumption $i < fs$, and standard arithmetic laws we may deduce
$(i\ \mathrm{div}\ blockSize) < bc$. From this, our initial assumptions, and $inv_1$, we conclude
that $i\ \mathrm{div}\ blockSize$ is in the domain of the mapping $bl$. Thus the existence of
an appropriate $bn$ is ensured, and along with it, owing to $inv_2$, the existence
of an appropriate $block$. We packaged this reasoning in a method find-bn-block
that takes all the relevant quantities as inputs, assumes that the appropriate
hypotheses are in the assumption base, and performs the appropriate inferences.
The method also accepts a proof continuation $K$ that is invoked once the goal
has been successfully derived.
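The arithmetic step inside find-bn-block, from $i < fs$ and $szInv(fs, bc)$ to $(i\ \mathrm{div}\ blockSize) < bc$, is spelled out here as an added worked derivation; it is not part of the paper's text. Write $b$ for $blockSize$ and assume $0 < b$, as the division algorithm requires. Both cases of $szInv$ bound $fs$ by $bc \cdot b$:

$$
\begin{aligned}
fs \bmod b = 0 &\Rightarrow fs = bc \cdot b,\\
fs \bmod b \ne 0 &\Rightarrow fs = (bc - 1) \cdot b + (fs \bmod b) < (bc - 1) \cdot b + b = bc \cdot b.
\end{aligned}
$$

Hence $i < fs \le bc \cdot b$. By the division algorithm, $(i\ \mathrm{div}\ b) \cdot b \le (i\ \mathrm{div}\ b) \cdot b + (i \bmod b) = i$, so $(i\ \mathrm{div}\ b) \cdot b < bc \cdot b$, and since $b > 0$ this gives $i\ \mathrm{div}\ b < bc$. With $inv_1$ this puts $i\ \mathrm{div}\ b$ in the domain of $bl$, and $inv_2$ then supplies the block. Note that the bound is tight only because $szInv$ is the corrected size invariant: the rejected formula of Section 6 would have allowed $fs = bc \cdot b$ with one block too few, and the step from $i < fs$ to a block in the domain of $bl$ would fail exactly for the last $b$ bytes of the file.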

Another example is a slight extension of this method, named
find-bn-block-val, that operates under the same assumptions but, in addition
to a block number and the block itself, yields a value $v$ such that
$lookUp(i \bmod blockSize, block) = SOME(v)$, which is possible because
$i \bmod blockSize < blockSize$ and, by $inv_8$, every block has exactly the positions
below $blockSize$ in its domain. Yet another example of a streamlined proof
method is an inductive method showing that an invariant holds for all reachable
states.
8 A sample lemma proof

In this section we will prove lemma $[M_8]$, which can be viewed as a frame
condition: it asserts that performing a write operation on a given file leaves the
contents of every other file unchanged. More specifically, let $fid_1$ refer to the
file to be written, let $fid_2$ be any file identifier distinct from $fid_1$, let $s$ be any
reachable state, and let $s'$ be the state obtained from $s$ by writing some value
into some byte position of $fid_1$. Then $[M_8]$ says that reading any byte of $fid_2$ in
$s'$ yields the same result as reading that byte in $s$.

The proof relies on four auxiliary lemmas about $write$, given below. Lemmas
(8) and (9) handle the case when $fid_1$ (the file to be written) already exists
in $s$, while (10) and (11) apply to the case when $fid_1$ is unbound in the root of
$s$. As usual, all the variables are assumed to be universally quantified.

$[lookUp(n_1, inodes(s)) = SOME(inode_1) \wedge n \ne n_1 \wedge lookUp(bn, blockList(inode_1)) = SOME(bn') \wedge$
$\quad lookUp(bn', blocks(s)) = SOME(block_1) \wedge lookUp(fid, root(s)) = SOME(n)] \Rightarrow$ (8)
$\quad lookUp(n_1, inodes(write(fid, i, v, s))) = SOME(inode_1) \wedge lookUp(bn', blocks(write(fid, i, v, s))) = SOME(block_1)$

$[lookUp(n_1, inodes(s)) = SOME(inode_1) \wedge n \ne n_1 \wedge lookUp(fid, root(s)) = SOME(n)] \Rightarrow$ (9)
$\quad lookUp(n_1, inodes(write(fid, i, v, s))) = SOME(inode_1)$

$[lookUp(n_1, inodes(s)) = SOME(inode_1) \wedge lookUp(bn, blockList(inode_1)) = SOME(bn') \wedge$
$\quad lookUp(bn', blocks(s)) = SOME(block_1) \wedge lookUp(fid, root(s)) = NONE] \Rightarrow$ (10)
$\quad lookUp(n_1, inodes(write(fid, i, v, s))) = SOME(inode_1) \wedge lookUp(bn', blocks(write(fid, i, v, s))) = SOME(block_1)$

$[lookUp(n_1, inodes(s)) = SOME(inode_1) \wedge lookUp(fid, root(s)) = NONE] \Rightarrow$ (11)
$\quad lookUp(n_1, inodes(write(fid, i, v, s))) = SOME(inode_1)$

In turn, each of the above four lemmas about $write$ relies on a number of other
lemmas about the various operations in the call graph of $write$ (see the relevant
remarks in Section 4). We will state those lemmas after we present the proof of
$[M_8]$.

We next present a natural-deduction style proof of $[M_8]$ to give the reader
an idea of the abstraction level at which Athena proofs are written. We believe
that the said level is roughly equivalent to the level at which a formally trained
computer scientist would communicate the proof to another computer scientist of
a similar background. The proof is rigorous and thorough, but does not descend
to the level of primitive inference rules (such as introduction and elimination
rules for the logical connectives or congruence rules for equality); the applications
of such rules are fairly tedious steps that are filled in by Vampire. The overall
proof is guided by constructs such as "pick any $\cdots$", "assume that such and
such holds", "we distinguish two cases", "from $P_1$, $P_2$ and $P_3$ we infer $P$", and
so on.

The proof of $[M_8]$ is given below in English, but the level of detail and the
overall structure of the argument are isomorphic to those of the formal Athena
deduction (for instance, the formal Athena proof runs to 120 lines, whereas the
English proof below is about 64 lines).

Lemma 3 ($[M_8]$). If $fid_1 \ne fid_2$ then $read(fid_2, i, write(fid_1, j, v, s)) =
read(fid_2, i, s)$.

Proof. Pick arbitrary $fid_1, fid_2, i, j, v$, and $s$, and suppose that

$fid_1 \ne fid_2.$ (12)

We will prove the goal

$read(fid_2, i, write(fid_1, j, v, s)) = read(fid_2, i, s)$ (13)

by distinguishing two (mutually exclusive and jointly exhaustive) cases:

$lookUp(fid_2, root(s)) = NONE$ (14)

and

$\exists\, n_2\,.\ lookUp(fid_2, root(s)) = SOME(n_2).$ (15)

If $fid_2$ is unbound in $root(s)$ (case (14)), then, by the definition of $read$, we have

$read(fid_2, i, s) = FileNotFound.$ (16)

By Lemma 1, (12), (14), and the reachability of $s$ we conclude

$lookUp(fid_2, root(write(fid_1, j, v, s))) = NONE$ (17)

and therefore again by the definition of $read$ we infer

$read(fid_2, i, write(fid_1, j, v, s)) = FileNotFound$ (18)

and hence (13) follows from (16) and (18). We now consider case (15), whereby

$lookUp(fid_2, root(s)) = SOME(n_2)$ (19)

for some inode number $n_2$. Since $s$ is reachable, it has $inv_0$, so that

$lookUp(n_2, inodes(s)) = SOME(inode(fs_2, bc_2, bl_2))$ (20)

for some $fs_2$, $bc_2$, and $bl_2$. Moreover, we note that by Lemma 1, (19), (12), and
the reachability of $s$, we have

$lookUp(fid_2, root(write(fid_1, j, v, s))) = SO ME(n_2).$ (21)

We proceed by distinguishing two cases, $i < fs_2$ and $fs_2 \le i$. Suppose first
that $i < fs_2$. In that case it becomes evident by inspection that all the preconditions
of method find-bn-block-val are satisfied: $s$ has the required invariants
because it is reachable; $n_2$ is mapped by the inode mapping of $s$ to the inode
comprising $fs_2$, $bc_2$, and $bl_2$; and $i < fs_2$. Therefore, we are able to prove that
there exist $bn_2$, $block_2$, and $v_2$ such that

$lookUp(i\ \mathrm{div}\ blockSize, bl_2) = SOME(bn_2)$ (22)

$lookUp(bn_2, blocks(s)) = SOME(block_2)$ (23)

and

$lookUp(i \bmod blockSize, block_2) = SOME(v_2).$ (24)

It now follows from (19), (20), the assumption $i < fs_2$, (22), (23), (24), and the
definition of $read$ that

$read(fid_2, i, s) = Ok(v_2)$ (25)

and therefore our goal (13) is reduced to proving

$read(fid_2, i, write(fid_1, j, v, s)) = Ok(v_2).$ (26)

We establish (26) by considering two subcases. First, suppose that $fid_1$ is
unbound in the root of $s$, i.e.,

$lookUp(fid_1, root(s)) = NONE.$ (27)

Then by (27), (20), (22), (23), the reachability of $s$ and Lemma (10), we conclude

$lookUp(n_2, inodes(write(fid_1, j, v, s))) = SOME(inode(fs_2, bc_2, bl_2))$ (28)

and

$lookUp(bn_2, blocks(write(fid_1, j, v, s))) = SOME(block_2).$ (29)

Accordingly, by the definition of $read$, (21), (28), the assumption $i < fs_2$, (22),
(29), and (24), we obtain the desired (26).
Now suppose, by contrast, that

$lookUp(fid_1, root(s)) = SOME(n_1)$ (30)

for some inode number $n_1$. Since $s$ is reachable, it has the invariant $inv_7$, so from
(30), (19), and (12) we conclude

$n_1 \ne n_2.$ (31)

From (8), the reachability of $s$, (20), (31), (22), (23), and (30) we can now again
derive (28) and (29). Hence, by the definition of $read$, (21), (28), the assumption
$i < fs_2$, (22), (29), and (24) we obtain (26).

We finally consider the possibility $fs_2 \le i$. In that case the definition of $read$
in tandem with (19) and (20) entails

$read(fid_2, i, s) = EOF.$ (32)

As before, we again distinguish two subcases, according to whether or not $fid_1$
is bound in the root of $s$, and we use lemmas (9) and (11), respectively, to infer
(28). In combination with (21), it follows from the definition of $read$ that in
either case we have

$read(fid_2, i, write(fid_1, j, v, s)) = EOF$ (33)

and the desired equality now follows from (32) and (33). This completes our case
analysis and the proof. □



Finally, we list below the remaining lemmas needed for lemmas (8), (9),
(10), and (11).

writeSmallExtendPreservesINodeAndBlockMaps:

$[lookUp(n_1, inodes(s)) = SOME(inode_1) \wedge n \ne n_1 \wedge$
$\quad lookUp(k, blockList(inode_1)) = SOME(bn_1) \wedge lookUp(bn_1, blocks(s)) = SOME(block_1) \wedge inv_{10}(s) \wedge$
$\quad lookUp(n, inodes(s)) = SOME(inode(fs, bc, bl)) \wedge lookUp(i\ \mathrm{div}\ blockSize, bl) = SOME(bn) \wedge$
$\quad lookUp(bn, blocks(s)) = SOME(block) \wedge fs \le i] \Rightarrow$
$\quad lookUp(n_1, inodes(writeSmallExtend(n, i, v, s))) = SOME(inode_1) \wedge$
$\quad lookUp(bn_1, blocks(writeSmallExtend(n, i, v, s))) = SOME(block_1)$

writeSmallExtendPreservesINodeMap:

$[lookUp(n_1, inodes(s)) = SOME(inode_1) \wedge n \ne n_1 \wedge$
$\quad lookUp(n, inodes(s)) = SOME(inode(fs, bc, bl)) \wedge lookUp(i\ \mathrm{div}\ blockSize, bl) = SOME(bn) \wedge$
$\quad lookUp(bn, blocks(s)) = SOME(block) \wedge fs \le i] \Rightarrow$
$\quad lookUp(n_1, inodes(writeSmallExtend(n, i, v, s))) = SOME(inode_1)$

writeNoExtendPreservesINodeAndBlockMaps:

$[lookUp(n_1, inodes(s)) = SOME(inode_1) \wedge n \ne n_1 \wedge$
$\quad lookUp(k, blockList(inode_1)) = SOME(bn_1) \wedge lookUp(bn_1, blocks(s)) = SOME(block_1) \wedge inv_{10}(s) \wedge$
$\quad lookUp(n, inodes(s)) = SOME(inode) \wedge lookUp(i\ \mathrm{div}\ blockSize, blockList(inode)) = SOME(bn) \wedge$
$\quad lookUp(bn, blocks(s)) = SOME(block)] \Rightarrow$
$\quad lookUp(n_1, inodes(writeNoExtend(n, i, v, s))) = SOME(inode_1) \wedge$
$\quad lookUp(bn_1, blocks(writeNoExtend(n, i, v, s))) = SOME(block_1)$

writeNoExtendPreservesINodeMap:

$[lookUp(n_1, inodes(s)) = SOME(inode_1) \wedge n \ne n_1 \wedge$
$\quad lookUp(n, inodes(s)) = SOME(inode) \wedge lookUp(i\ \mathrm{div}\ blockSize, blockList(inode)) = SOME(bn) \wedge$
$\quad lookUp(bn, blocks(s)) = SOME(block)] \Rightarrow$
$\quad lookUp(n_1, inodes(writeNoExtend(n, i, v, s))) = SOME(inode_1)$

allocBlocksPreservesINodeAndBlockMaps:

$[lookUp(n_1, inodes(s)) = SOME(inode_1) \wedge n \ne n_1 \wedge inDom(n, inodes(s)) \wedge inv_4(s) \wedge$
$\quad lookUp(bn, blockList(inode_1)) = SOME(bn') \wedge lookUp(bn', blocks(s)) = SOME(block)] \Rightarrow$
$\quad lookUp(n_1, inodes(allocBlocks(n, k, fs, s))) = SOME(inode_1) \wedge$
$\quad lookUp(bn', blocks(allocBlocks(n, k, fs, s))) = SOME(block)$

allocBlocksPreservesINodeMap:

$[lookUp(n_1, inodes(s)) = SOME(inode_1) \wedge n \ne n_1 \wedge inDom(n, inodes(s))] \Rightarrow$
$\quad lookUp(n_1, inodes(allocBlocks(n, k, fs, s))) = SOME(inode_1)$

extendFilePreservesINodeAndBlockMaps:

$[lookUp(n_1, inodes(s)) = SOME(inode_1) \wedge n \ne n_1 \wedge inDom(n, inodes(s)) \wedge inv_4(s) \wedge$
$\quad lookUp(bn, blockList(inode_1)) = SOME(bn') \wedge lookUp(bn', blocks(s)) = SOME(block)] \Rightarrow$
$\quad lookUp(n_1, inodes(extendFile(n, i, s))) = SOME(inode_1) \wedge$
$\quad lookUp(bn', blocks(extendFile(n, i, s))) = SOME(block)$

extendFilePreservesINodeMap:

$[lookUp(n_1, inodes(s)) = SOME(inode_1) \wedge n \ne n_1 \wedge inDom(n, inodes(s))] \Rightarrow$
$\quad lookUp(n_1, inodes(extendFile(n, i, s))) = SOME(inode_1)$

writeExistingPreservesINodeAndBlockMaps:

$[inv_1(s) \wedge inv_2(s) \wedge inv_3(s) \wedge inv_4(s) \wedge inv_{10}(s) \wedge$
$\quad lookUp(n_1, inodes(s)) = SOME(inode_1) \wedge n \ne n_1 \wedge$
$\quad lookUp(bn, blockList(inode_1)) = SOME(bn') \wedge lookUp(bn', blocks(s)) = SOME(block_1) \wedge$
$\quad lookUp(n, inodes(s)) = SOME(inode(fs, bc, bl))] \Rightarrow$
$\quad lookUp(n_1, inodes(writeExisting(n, i, v, s))) = SOME(inode_1) \wedge$
$\quad lookUp(bn', blocks(writeExisting(n, i, v, s))) = SOME(block_1)$

writeExistingPreservesINodeMap:

$[inv_1(s) \wedge inv_2(s) \wedge inv_3(s) \wedge n \ne n_1 \wedge$
$\quad lookUp(n_1, inodes(s)) = SOME(inode_1) \wedge$
$\quad lookUp(n, inodes(s)) = SOME(inode(fs, bc, bl))] \Rightarrow$
$\quad lookUp(n_1, inodes(writeExisting(n, i, v, s))) = SOME(inode_1)$
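The following Python model is an added example and not the authors' Athena development. It gives the file-system state of Sections 4 to 6 a concrete shape (a root map, an inode map and a block map, with the paper's $fs$, $bc$, $bl$ fields), implements $read$ and $write$ with the result constructors used above (FileNotFound, EOF, Ok), turns the reachability invariants of Figure 5 into a checker in the spirit of fsck, and then does the bounded version of what Section 6.1 proves: it walks random $write$ sequences from $s_0$ and checks every reached state against the invariants and against the frame lemma $[M_8]$ of Section 8. BLOCK_SIZE, the byte-array representation of blocks, and the way $write$ grows a file (fresh fill-padded blocks, as $extendFile$ does) are assumptions of the example; `aliased_state` is a constructed bad state, not something the implementation can reach.

```python
"""Executable model of the file-system state, with the Fig. 5 reachability
invariants as runtime checks and the frame lemma [M_8] as a test. Added
example, not the authors' Athena code: the state shape, BLOCK_SIZE and the
way write grows a file (fresh fill-padded blocks) are this example's assumptions."""
import random
from dataclasses import dataclass, field

BLOCK_SIZE = 4   # assumed small so that short random runs cross block boundaries
FILL_BYTE = 0    # the paper's fillByte

@dataclass(frozen=True)
class Inode:
    fs: int      # file size in bytes
    bc: int      # block count
    bl: tuple    # block list: index k -> block number, defined for k < bc

@dataclass
class State:
    root: dict = field(default_factory=dict)    # fid -> inode number
    inodes: dict = field(default_factory=dict)  # inode number -> Inode
    blocks: dict = field(default_factory=dict)  # block number -> list of BLOCK_SIZE bytes

    def copy(self):
        return State(dict(self.root), dict(self.inodes),
                     {b: list(d) for b, d in self.blocks.items()})

def read(fid, i, s):
    """read(fid, i, s) as in the specification: FileNotFound, EOF or Ok(v)."""
    n = s.root.get(fid)
    if n is None:
        return ("FileNotFound",)
    ino = s.inodes[n]
    if i >= ino.fs:
        return ("EOF",)
    return ("Ok", s.blocks[ino.bl[i // BLOCK_SIZE]][i % BLOCK_SIZE])

def write(fid, i, v, s):
    """Functional write: returns a new state and leaves s untouched."""
    s = s.copy()
    if fid not in s.root:                 # unbound name: allocate an empty inode
        n = len(s.inodes)                 # inodeCount(s) is the number of inodes (inv_5)
        s.root[fid], s.inodes[n] = n, Inode(0, 0, ())
    n, bl = s.root[fid], list(s.inodes[s.root[fid]].bl)
    while len(bl) <= i // BLOCK_SIZE:     # extendFile: fresh blocks padded with FILL_BYTE
        bnum = len(s.blocks)              # stateBlockCount(s) is the number of blocks (inv_4)
        s.blocks[bnum] = [FILL_BYTE] * BLOCK_SIZE
        bl.append(bnum)
    s.blocks[bl[i // BLOCK_SIZE]][i % BLOCK_SIZE] = v
    s.inodes[n] = Inode(max(s.inodes[n].fs, i + 1), len(bl), tuple(bl))
    return s

def sz_inv(fs, bc):
    """szInv(fs, bc): the corrected size invariant of Section 6."""
    r = fs % BLOCK_SIZE
    return fs == bc * BLOCK_SIZE if r == 0 else fs == (bc - 1) * BLOCK_SIZE + r

def naive_sz_inv(fs, bc):
    """The rejected conjecture; false whenever fs is a multiple of BLOCK_SIZE."""
    return fs == (bc - 1) * BLOCK_SIZE + fs % BLOCK_SIZE

def violated_invariants(s):
    """Names of the Fig. 5 invariants failing in s (inv_6 omitted: no consequent in the text)."""
    bad, owner = set(), {}                       # owner: block number -> inode holding it
    if any(n not in s.inodes for n in s.root.values()): bad.add("inv_0")
    for n, ino in s.inodes.items():
        if ino.bc != len(ino.bl): bad.add("inv_1")
        if not sz_inv(ino.fs, ino.bc): bad.add("inv_3")
        for k, bnum in enumerate(ino.bl):
            if bnum not in s.blocks: bad.add("inv_2"); continue
            if len(s.blocks[bnum]) != BLOCK_SIZE: bad.add("inv_8")
            if bnum in owner: bad.add("inv_10" if owner[bnum] == n else "inv_9")
            owner[bnum] = n
            for j in range(BLOCK_SIZE):          # inv_11: slack past fs holds FILL_BYTE
                if ino.fs <= k * BLOCK_SIZE + j and s.blocks[bnum][j] != FILL_BYTE: bad.add("inv_11")
    if set(s.blocks) != set(range(len(s.blocks))): bad.add("inv_4")
    if set(s.inodes) != set(range(len(s.inodes))): bad.add("inv_5")
    if len(set(s.root.values())) != len(s.root): bad.add("inv_7")
    return sorted(bad)

def aliased_state():
    """Constructed bad state: inode b is pointed at file a's block; inv_9 catches it."""
    s = write("b", 0, 7, write("a", 0, 5, State()))
    s.inodes[s.root["b"]] = Inode(1, 1, (s.inodes[s.root["a"]].bl[0],))
    return s

def explore(steps=300, seed=1):
    """Bounded Section 6.1: random write sequences from s_0, checking invariants and [M_8]."""
    rng, s, naive_failures = random.Random(seed), State(), 0   # State() is s_0
    assert violated_invariants(s) == []
    for _ in range(steps):
        fid1, fid2 = rng.choice("abc"), rng.choice("abc")
        i, j, v = rng.randrange(13), rng.randrange(13), rng.randrange(256)
        s2 = write(fid1, j, v, s)
        assert violated_invariants(s2) == [], violated_invariants(s2)
        if fid1 != fid2:                         # [M_8]: every other file reads the same
            assert read(fid2, i, s2) == read(fid2, i, s)
        naive_failures += sum(not naive_sz_inv(x.fs, x.bc) for x in s2.inodes.values())
        s = s2
    return {"states": steps + 1, "naive_sz_inv_failures": naive_failures}
```

Two things are worth noticing when running it. `explore` never reports a violated invariant, yet `naive_sz_inv` fails on a large fraction of the reached inodes: the rejected size invariant is false on ordinary reachable states, not just on contrived ones, which is the point of the paper's anecdote. And `violated_invariants(aliased_state())` reports exactly `inv_9`: the invariants that forbid a disk block from being reachable through two inodes, or through two positions of the same inode ($inv_{10}$), are what rule out one file reading another file's data, and $inv_{11}$ is what keeps the unused tail of a last block from carrying stale bytes.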



9 Related work 

Techniques for verifying the correct use of file system interfaces expressed as finite
state machines are presented in [9, 10, 8, 2]. In this paper we have addressed the
more difficult problem of showing that the file system implementation conforms
to its specification. Consequently, our proof obligations are stronger and we have
resorted to more general deductive verification. Static analysis techniques that
handle more complex data structures include predicate abstraction and shape
analysis [19, 18, 14, 6]. These approaches are promising for automating proofs
of program properties, but have not been used so far to show full functional
correctness, as we do here. Security properties of a Unix file system are studied
in [23, Chapter 10]; these properties are largely orthogonal to the correct functioning
of a file system for storing and reading data, although several of the reachability
invariants of Figure 5 do have a security reading: $inv_9$ and $inv_{10}$ rule out a disk
block being reachable from two inodes or from two positions of the same file, and
$inv_{11}$ guarantees that the unused tail of a file's last block holds the fill byte rather
than stale data. A sample specification of a widely
used file system is [1]. Simple abstract models of file systems have also been
developed in Z [24, Chapter 15].

Alloy [12] is a specification language based on a first-order relational calculus 
that has been used to describe the directory structure of a file system (but 
without modelling read and write operations). The Alloy Analyzer is a model 
finder for Alloy specifications that can be used to check structural properties of 
file systems in finite scope. The use of Alloy is complementary to proofs [4] . Alloy 
is useful for debugging, whereas our proofs ensure that the refinement relation 
holds for any number of files, any file sizes, and all sequences of operations. In 
addition, readable, high-level proofs can be viewed as explanations of why the file 
system implementation is correct, and therefore provide guidance to developers 
on how to modify the system in the future while preserving its correctness. 

It is interesting to consider whether the verification burden would be lighter
with a system such as PVS [17] or ACL2 [13] that makes heavy use of automatic
decision procedures for combinations of first-order theories such as arrays, lists,
linear arithmetic, etc. We note that our use of high-performance off-the-shelf
ATPs already provides a considerable degree of automation. In our experience,
both Vampire and Spass have proven quite effective in non-inductive reasoning
about lists, arrays, etc., simply on the basis of first-order axiomatizations of
these domains. Our experience supports a recent benchmark study by Armando
et al. [5], which showed that a state-of-the-art paramodulation-based prover with
a fair search strategy compares favorably with CVC [7] in reasoning about arrays
with extensionality.

10 Conclusions 

We have presented a correctness proof for the key operations (reading and writing)
of a file system based on Unix implementations. We are not aware of any
other file system verification attempts dealing with such strong properties as the
simulation relation condition, for all possible sequences of file system operations
and without a priori bounds on the number of files or their sizes. Despite the
apparent simplicity of this particular specification and implementation, our proofs
shed light on the general kinds of reasoning that would be required in establishing
full functional correctness for any file system. Our results suggest that a
combination of state-of-the-art formal methods techniques greatly facilitates the
deductive verification of crucial software infrastructure components such as file
systems.

We have found Athena to be a powerful framework for carrying out a complex
verification effort. Polymorphic sorts and structures allow for natural data
modelling; strong support for structural induction facilitates inductive reasoning
over such datatypes; a block-structured natural deduction format helps to make
proofs more readable and writable; a higher-order functional metalanguage and
assumption base semantics allow for powerful trusted proof tactics; and the use
of first-order logic allows for smooth integration with state-of-the-art first-order
ATPs, keeping the proof steps at a high level of abstraction. Our use of these features
was essential in dealing with the strong properties arising from the simulation
relation condition, where most of the complexity stems from the details of
unbounded data structures.

Acknowledgements. We thank Darko Marinov and Alexandru Salcianu for 
useful comments on an earlier version of this manuscript. 
A Some standard Athena libraries

A.l Options 

Options in Athena are represented as follows:

datatype Option(S) = NONE | SOME(S)

Here $S$ is a sort parameter. Thus Option can be viewed as a sort constructor
that takes an arbitrary sort $S$ and builds a new sort, Option($S$).

Datatypes in Athena are free algebras with corresponding induction principles.
For instance, the following axioms are automatically generated from the
above definition:

$\forall\, x : Option(S)\,.\ x = NONE \vee [\exists\, v : S\,.\ x = SOME(v)]$ (34)

$\forall\, v : S\,.\ NONE \ne SOME(v)$ (35)

$\forall\, v_1 : S,\ v_2 : S\,.\ SOME(v_1) = SOME(v_2) \Rightarrow v_1 = v_2$ (36)

Note that in the above axioms we annotated quantified variables with their sorts
for readability purposes. In practice Athena uses a Hindley-Milner algorithm to
infer the most general possible sorts of quantified variables, so such annotations
are not necessary; we omit them in the remainder of this Appendix.

Structural induction may be performed on datatypes using a built-in syntax 
form that Athena offers for that purpose, and which automates much of the 
tedium associated with inductive proofs (e.g., managing inductive hypotheses in 
multiply nested inductive arguments). 
A.2 Finite maps

Polymorphic finite maps are introduced in Athena as follows:

structure FMap(D, R) = empty-map | update(FMap(D, R), D, R)

Here $D$ and $R$ are sort parameters, representing the sorts of the domain and the
range of the map, respectively. The declaration states that every finite map from
$D$ to $R$ is either the empty-map or else it is of the form update($m$, $x$, $v$), i.e., it
is an update of some other map $m$, obtained by binding the argument $x$ to the
value $v$ (potentially overwriting whatever assignment $x$ might have had in $m$).
Like datatypes, structures are inductively generated: axioms of the form (34)
are valid for structures, and induction may be performed on them. However,
structures are not necessarily freely generated (elements are not "uniquely readable"),
hence Athena does not generate axioms such as (36) for structures.
We introduce two additional useful function symbols for finite maps:

lookUp : D × FMap(D, R) → Option(R)
inDom : D × FMap(D, R) → Boolean

whose semantics are captured by the following four axioms:

$[M_1]\ \forall\, x\,.\ lookUp(x, \text{empty-map}) = NONE$

$[M_2]\ \forall\, x\ v\ m\,.\ lookUp(x, update(m, x, v)) = SOME(v)$

$[M_3]\ \forall\, x\ y\ v\ m\,.\ x \ne y \Rightarrow lookUp(x, update(m, y, v)) = lookUp(x, m)$

$[M_4]\ \forall\, x\ m\,.\ inDom(x, m) \Leftrightarrow [\exists\, v\,.\ lookUp(x, m) = SOME(v)]$

We also have an extensionality axiom for finite maps:

$[FMExt]\ \forall\, m_1\ m_2\,.\ [\forall\, x\,.\ lookUp(x, m_1) = lookUp(x, m_2)] \Rightarrow m_1 = m_2$

A. 3 Resizable arrays 

Resizable arrays are inductively generated by the following structure:

structure RSArray(S) = makeArray(S, Nat) | arrayWrite(RSArray(S), Nat, S, S)

That is, a resizable array is either of the form makeArray($x$, $n$), which is a freshly
constructed array of length $n$ with the element $x$ in every location from 0 to $n - 1$;
or else it is of the form arrayWrite($A$, $i$, $x$, $f$), i.e., obtained from an already
existing array $A$ by writing the value $x$ into slot $i$. If $i$ happens to be outside the
bounds of $A$ (i.e., $arrayLen(A) \le i$), then the length will increase to $i + 1$, the
value $x$ will be written into the $i$-th position of this extended array, and all the
other newly allocated slots will be padded with the "fill" value $f$. This is made
more clear in the axioms of Figure 6. Two additional useful functions are:

arrayLen : RSArray(S) → Nat
arrayRead : RSArray(S) × Nat → Option(S)

Their semantics are captured by the nine axioms $[A_1]$ to $[A_9]$ shown in Figure 6.
Finally, we have an extensionality axiom for arrays:

$[RSAExt]\ \forall\, A_1\ A_2\,.\ [\forall\, i\,.\ arrayRead(A_1, i) = arrayRead(A_2, i)] \Rightarrow A_1 = A_2.$
$[A_1]\ \forall\, x\ n\,.\ arrayLen(makeArray(x, n)) = n$

$[A_2]\ \forall\, A\ i\ v\ f\,.\ [i < arrayLen(A)] \Rightarrow arrayLen(arrayWrite(A, i, v, f)) = arrayLen(A)$

$[A_3]\ \forall\, A\ i\ v\ f\,.\ \neg[i < arrayLen(A)] \Rightarrow arrayLen(arrayWrite(A, i, v, f)) = i + 1$

$[A_4]\ \forall\, A\ i\,.\ \neg[i < arrayLen(A)] \Rightarrow arrayRead(A, i) = NONE$

$[A_5]\ \forall\, x\ n\ i\,.\ i < n \Rightarrow arrayRead(makeArray(x, n), i) = SOME(x)$

$[A_6]\ \forall\, A\ i\ v\ f\,.\ arrayRead(arrayWrite(A, i, v, f), i) = SOME(v)$

$[A_7]\ \forall\, A\ i\ v\ f\,.\ i < arrayLen(A) \Rightarrow$
$\quad [\forall\, j\,.\ i \ne j \Rightarrow arrayRead(arrayWrite(A, i, v, f), j) = arrayRead(A, j)]$

$[A_8]\ \forall\, A\ i\ v\ f\,.\ \neg[i < arrayLen(A)] \Rightarrow$
$\quad [\forall\, j\,.\ j < arrayLen(A) \Rightarrow arrayRead(arrayWrite(A, i, v, f), j) = arrayRead(A, j)]$

$[A_9]\ \forall\, A\ i\ v\ f\,.\ \neg[i < arrayLen(A)] \Rightarrow$
$\quad [\forall\, j\,.\ arrayLen(A) \le j \wedge j < i \Rightarrow arrayRead(arrayWrite(A, i, v, f), j) = SOME(f)]$

Fig. 6. The semantics of resizable arrays
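The following Python reading of the resizable arrays of Appendix A.3 is an added example, not the authors' Athena library. It implements makeArray, arrayLen, arrayRead and arrayWrite over a tuple representation (None standing for NONE, any other value for SOME) and then checks the nine axioms of Figure 6 exhaustively over a small finite domain, which is the kind of sanity check one runs on an axiomatization before handing it to an ATP. The function names, the tuple representation and the size of the enumerated domain are this example's own choices.

```python
"""Executable reading of the resizable arrays of Appendix A.3 and an exhaustive
check of axioms [A1] to [A9] over a small finite domain. Added example, not the
authors' Athena library: the tuple representation and the function names are
this example's own; None plays the role of NONE and any other value of SOME."""
from itertools import product

def make_array(x, n):
    """makeArray(x, n): n slots, each holding x."""
    return (x,) * n

def array_len(a):
    return len(a)

def array_read(a, i):
    """[A4]: an out-of-range read yields NONE, never an exception or a stale slot."""
    return a[i] if i < len(a) else None

def array_write(a, i, v, f):
    """arrayWrite(A, i, v, f): an in-bounds write keeps the length ([A2]); an
    out-of-bounds write grows the array to i + 1 and pads the gap with f ([A3], [A9])."""
    if i < len(a):
        return a[:i] + (v,) + a[i + 1:]
    return a + (f,) * (i - len(a)) + (v,)

def axiom_violations(max_len=4, max_index=6, values=(0, 1, 2)):
    """Enumerate all arrays over `values` up to max_len and every write up to
    max_index; return the labels of the axioms that fail (empty means all hold)."""
    bad = set()
    arrays = [tuple(p) for n in range(max_len + 1) for p in product(values, repeat=n)]
    for x, n in product(values, range(max_len + 1)):
        a = make_array(x, n)
        if array_len(a) != n: bad.add("A1")
        if any(array_read(a, i) != x for i in range(n)): bad.add("A5")
    for a, i, v, f in product(arrays, range(max_index + 1), values, values):
        w, n = array_write(a, i, v, f), array_len(a)
        if i < n and array_len(w) != n: bad.add("A2")
        if i >= n and array_len(w) != i + 1: bad.add("A3")
        if i >= n and array_read(a, i) is not None: bad.add("A4")
        if array_read(w, i) != v: bad.add("A6")
        for j in range(max_index + 2):
            if i < n and j != i and array_read(w, j) != array_read(a, j): bad.add("A7")
            if i >= n and j < n and array_read(w, j) != array_read(a, j): bad.add("A8")
            if i >= n and n <= j < i and array_read(w, j) != f: bad.add("A9")
    return sorted(bad)
```

Axioms $[A_4]$ and $[A_9]$ together are the part of this structure that matters most from a security standpoint: a read past the end is a defined NONE rather than undefined behaviour, and a write past the end fills every intermediate slot with the explicit $f$, so a sparse write (the specification-level counterpart of $writeSmallExtend$ and $extendFile$) can never expose whatever happened to be in the newly allocated storage. A plain Python list raises on `lst[4] = 9` when the list has two elements, and a C buffer grown with realloc but not cleared would hand back stale bytes; the fill parameter is what makes the spec's behaviour both total and leak-free.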



A. 4 Natural numbers 

Numeric reasoning played an important role in this project. Although no deep 
number-theoretic results were needed, it was still necessary to introduce all the 
usual arithmetic operations, including the remainder operation, and derive many 
simple results for them. We start by introducing the natural numbers as an 
algebraic datatype: 

datatype Nat = zero | succ(Nat)

This definition automatically generates the following axioms:

$\forall\, x\,.\ zero \ne succ(x)$

$\forall\, x, y\,.\ succ(x) = succ(y) \Rightarrow x = y$

$\forall\, x\,.\ x = zero \vee (\exists\, y\,.\ x = succ(y))$

which are then added to the assumption base.

Next, we introduce function symbols for the predecessor operation:

declare pred : Nat → Nat

as well as for (binary) addition, subtraction, multiplication, division, and
remainder:

declare +, −, *, div, mod : Nat × Nat → Nat

We also introduce operators for numeric comparisons:

declare <, ≤ : Nat × Nat → Boolean
The semantics of these symbols are given via equational axioms (possibly
conditionally equational axioms) that capture the usual primitive recursive
definitions of these operations. For example, predecessor is defined as a total
function as follows:

$\mathit{pred}(\mathit{zero}) = \mathit{zero} \land \forall x .\ \mathit{pred}(\mathit{succ}(x)) = x$

The definition of binary addition is given via the two axioms:

$\forall y .\ \mathit{zero} + y = y$

$\forall x, y .\ \mathit{succ}(x) + y = \mathit{succ}(x + y)$

The definitions of subtraction, multiplication, and numeric comparisons are given
by the following axioms:

$\forall x .\ \mathit{zero} - x = \mathit{zero}$

$\forall x .\ x - \mathit{zero} = x$

$\forall x, y .\ \mathit{succ}(x) - \mathit{succ}(y) = x - y$

$\forall y .\ \mathit{zero} * y = \mathit{zero}$

$\forall x, y .\ \mathit{succ}(x) * y = y + (x * y)$

$\forall x .\ (x < \mathit{zero}) = \mathit{false}$

$\forall x .\ (\mathit{zero} < \mathit{succ}(x)) = \mathit{true}$

$\forall x, y .\ (\mathit{succ}(x) < \mathit{succ}(y)) = x < y$

The less-than-or-equal symbol is defined in terms of less-than:

$x \le y \Leftrightarrow x = y \lor x < y$

The definitions of quotient and remainder are as follows:

$\forall x .\ x\ \mathit{div}\ \mathit{zero} = \mathit{zero}$

$\forall x, y .\ x < y \Rightarrow x\ \mathit{div}\ y = \mathit{zero}$

$\forall x, y .\ (y \ne \mathit{zero}) \land \neg(x < y) \Rightarrow x\ \mathit{div}\ y = \mathit{succ}((x - y)\ \mathit{div}\ y)$

$\forall x .\ x\ \mathit{mod}\ \mathit{zero} = x$

$\forall x, y .\ x < y \Rightarrow x\ \mathit{mod}\ y = x$

$\forall x, y .\ (y \ne \mathit{zero}) \land \neg(x < y) \Rightarrow x\ \mathit{mod}\ y = (x - y)\ \mathit{mod}\ y$

From the above definitions, a number of useful properties can be derived,
e.g., that addition is commutative. Most of these properties are derivable only
with the aid of a mathematical induction principle, in our case structural
induction on the datatype Nat. Structural induction in this case corresponds to
conventional mathematical induction on the natural numbers. Occasionally it is
very convenient to be able to use strong induction instead, whereby, in order to
establish P(n), one inductively assumes the truth of P(m) for all m < n. For
instance, the so-called "division algorithm" result, which states

$\mathit{zero} < b \Rightarrow [(a\ \mathit{div}\ b) * b] + [a\ \mathit{mod}\ b] = a$

can be readily proved by strong induction but is much more tedious with
conventional induction. In Athena, a strong induction principle on natural
numbers is currently formulated as a primitive method. Figure 7 depicts some
numeric results that were needed at various points in the project. Most of them
were proved automatically by Athena methods that mechanize induction, but a few
of them required more detailed proofs. The reader can refer to the file nat.ath
in the source code listing for details.
1. $\forall x, y, z .\ x < y \land y < z \Rightarrow x < z$

2. $\forall x, y .\ x < y \Rightarrow \neg(y < x)$

3. $\forall x .\ \neg(x < x)$

4. $\forall x, y .\ x < y \Rightarrow x \le y$

5. $\forall x .\ x < \mathit{succ}(x)$

6. $\forall x, y .\ x < \mathit{succ}(y) \Leftrightarrow [x = y \lor x < y]$

7. $\forall x, y .\ x < y \Rightarrow x < \mathit{succ}(y)$

8. $\forall x, y, z .\ x \le y \land y < z \Rightarrow x < z$

9. $\forall x, y, z .\ x < y \land y \le z \Rightarrow x < z$

10. $\forall x, y .\ x < y \Rightarrow x \ne y$

11. $\forall x .\ x \ne \mathit{zero} \Rightarrow \mathit{zero} < x$

12. $\forall x .\ x \ne \mathit{zero} \Rightarrow [\exists y .\ y < x]$

13. $\forall x, y .\ x < y \Rightarrow \mathit{succ}(x) \le y$

14. $\forall x, y .\ x + \mathit{zero} = x$

15. $\forall x, y .\ x + \mathit{succ}(y) = \mathit{succ}(x + y)$

16. $\forall x, y .\ x + y = y + x$

17. $\forall x, y, z .\ x + (y + z) = (x + y) + z$

18. $\forall x, y .\ \neg(y < x) \Rightarrow x + (y - x) = y$

19. $\forall x, y .\ \mathit{zero} < y \Rightarrow [(x\ \mathit{div}\ y) * y] + x\ \mathit{mod}\ y = x$

20. $\forall x, y .\ \mathit{zero} < y \Rightarrow x\ \mathit{mod}\ y < y$

21. $\forall x, y .\ \mathit{zero} < y \land [\mathit{succ}(x)\ \mathit{mod}\ y = \mathit{zero}] \Rightarrow \mathit{succ}(x\ \mathit{div}\ y) = \mathit{succ}(x)\ \mathit{div}\ y$

22. $\forall x, y, z, w .\ x = \mathit{succ}(y) \land \mathit{succ}(y\ \mathit{div}\ z) = w \land \mathit{zero} < z \land \mathit{succ}(y)\ \mathit{mod}\ z = \mathit{zero} \Rightarrow x = w * z$

23. $\forall x, y .\ \mathit{zero} < x \land \mathit{zero} < [\mathit{succ}(x)\ \mathit{mod}\ y] \Rightarrow (\mathit{succ}(x)\ \mathit{mod}\ y) = \mathit{succ}(x\ \mathit{mod}\ y)$

24. $\forall x, y, z, w .\ x = \mathit{succ}(y) \land \mathit{succ}(y\ \mathit{div}\ z) = w \land \mathit{zero} < z \land \mathit{zero} < \mathit{succ}(y)\ \mathit{mod}\ z \Rightarrow x = \mathit{pred}(w) * z + x\ \mathit{mod}\ z$

25. $\forall x, y, z .\ x \le y \Rightarrow x\ \mathit{div}\ z \le y\ \mathit{div}\ z$

26. $\forall x, y, z .\ x \le y \Rightarrow x * z \le y * z$

27. $\forall x, y, z .\ x \le y \land y \le z \Rightarrow x \le z$

28. $\forall x .\ \mathit{pred}(x) \le x$

29. $\forall x, y .\ \mathit{zero} < y \Rightarrow (x * y)\ \mathit{div}\ y = x$

30. $\forall x, y .\ x \le x + y$

31. $\forall x, y .\ \mathit{pred}(x) \le y \land y < x \Rightarrow \mathit{succ}(y) = x$

32. $\forall x, y .\ x < \mathit{succ}(y) \Rightarrow x = y \lor x < y$

33. $\forall x, y, z .\ x < y \Rightarrow x < y + z$

34. $\forall x, y .\ (x\ \mathit{div}\ y) * y \le x$

35. $\forall x, y, z .\ x + y = z + y \Rightarrow x = z$

36. $\forall x, y, z .\ \mathit{zero} < y \land x * y = z * y \Rightarrow x = z$

37. $\forall x, y, z .\ \mathit{zero} < y \land x \le \mathit{pred}(y) \Rightarrow x < y$

38. $\forall x, y .\ x < y \Rightarrow x \le y$

39. $\forall x, y .\ x = y \Rightarrow \neg(x < y)$

40. $\forall x, y .\ x < y \Rightarrow \mathit{succ}(x) \le y$

41. $\forall x .\ \mathit{zero} \le x$

42. $\forall x, y .\ x < y \lor x = y \lor y < x$

43. $\forall x .\ \mathit{zero}\ \mathit{mod}\ x = \mathit{zero}$

44. $\forall x .\ \mathit{szInv}(\mathit{zero}, \mathit{zero}, x)$

45. $\forall x, y, z, w .\ \mathit{szInv}(x, y, z) \land x \le w \land \mathit{zero} < z \Rightarrow \mathit{pred}(y) \le (w\ \mathit{div}\ z)$

46. $\forall x, y, z, w .\ \mathit{szInv}(x, y, z) \land w < x \land \mathit{zero} < z \land \mathit{zero} < y \Rightarrow (w\ \mathit{div}\ z) < y$

47. $\forall x, y, z .\ \mathit{zero} < z \land x \ne y \Rightarrow (x\ \mathit{div}\ z) \ne (y\ \mathit{div}\ z) \lor (x\ \mathit{mod}\ z) \ne (y\ \mathit{mod}\ z)$


Fig. 7. Useful results about the natural numbers.
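The Nat definitions of Section A.4, as an added executable model (not the paper's Athena code): the primitive-recursive axioms for +, −, *, div, mod, < and ≤ are transcribed as Python functions over nested-tuple numerals, and the "division algorithm" result together with lemmas 20, 34 and 47 of Fig. 7 are then checked exhaustively over a small range. The tuple encoding and the range-bounded checks are assumptions of this example.

```python
# Added example, not code from the paper or its Athena sources: a Python model of
# the Nat datatype and the primitive-recursive definitions of Section A.4, used to
# check the "division algorithm" result and a few Fig. 7 lemmas over a small range.
# zero is the empty tuple and succ(x) is the 1-tuple (x,), so tuple equality is
# equality of Nat terms (an encoding chosen here, not the paper's).
ZERO = ()
def succ(x): return (x,)
def is_zero(x): return x == ()

def add(x, y): return y if is_zero(x) else succ(add(x[0], y))   # zero + y = y; succ(x) + y = succ(x + y)

def sub(x, y):                                                   # zero - x = zero; x - zero = x
    return x if is_zero(x) or is_zero(y) else sub(x[0], y[0])    # succ(x) - succ(y) = x - y

def mul(x, y): return ZERO if is_zero(x) else add(y, mul(x[0], y))  # succ(x) * y = y + (x * y)

def lt(x, y):                                                    # (x < zero) = false; (zero < succ(y)) = true
    if is_zero(y): return False
    return True if is_zero(x) else lt(x[0], y[0])                # (succ(x) < succ(y)) = x < y

def le(x, y): return x == y or lt(x, y)                          # x <= y  iff  x = y or x < y

def div(x, y):                                                   # x div zero = zero; x < y => x div y = zero
    if is_zero(y) or lt(x, y): return ZERO
    return succ(div(sub(x, y), y))                               # otherwise succ((x - y) div y)

def mod(x, y):                                                   # x mod zero = x; x < y => x mod y = x
    if is_zero(y) or lt(x, y): return x
    return mod(sub(x, y), y)                                     # otherwise (x - y) mod y

def nat(n): return ZERO if n == 0 else succ(nat(n - 1))          # int -> Nat, for building inputs

def division_algorithm_holds(limit):
    """zero < b  =>  [(a div b) * b] + [a mod b] = a, checked for all a, b < limit."""
    nats = [nat(i) for i in range(limit)]
    return all(add(mul(div(a, b), b), mod(a, b)) == a
               for a in nats for b in nats if lt(ZERO, b))

def fig7_samples_hold(limit):
    """Lemmas 20, 34 and 47 of Fig. 7, checked for all x, y, z < limit."""
    nats = [nat(i) for i in range(limit)]
    for x in nats:
        for y in nats:
            if lt(ZERO, y) and not lt(mod(x, y), y):             # 20: zero < y => x mod y < y
                return False
            if not le(mul(div(x, y), y), x):                      # 34: (x div y) * y <= x
                return False
            for z in nats:                                        # 47: zero < z and x != y => quotients or remainders differ
                if lt(ZERO, z) and x != y and div(x, z) == div(y, z) and mod(x, z) == mod(y, z):
                    return False
    return True
```

Because the checks enumerate a finite range they are sanity tests of the transcribed definitions, not a substitute for the inductive proofs in nat.ath.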



